03:01:38 <lw> polarian: all my music is stored locally and i use Navidrome to stream it to devices (it's also exported via NFS, but i like having centralised playlists and stuff)
05:26:46 <L3Fr0g> Good morning. Which host-to-host VPN solution do you recommend ?
05:47:03 <rtprio> L3Fr0g: that's a pretty broad question
05:47:24 <rtprio> but wireguard seems be a popular solution and is in base
06:03:23 <sfox> why not ipsec?
06:05:43 <L3Fr0g> gre with ipsec i guess
06:55:01 <yourfate> heh, I tried to set up wireguard as a vpn server yesterday, but somehow it doesn't work so far
06:57:46 <yourfate> I followed this guide: https://vlads.me/post/create-a-wireguard-server-on-freebsd-in-15-minutes/
06:57:47 <VimDiesel> Title: Create a WireGuard® server on FreeBSD in no time | webdev & tech
07:26:15 <dautor8518050867> yourfate: What is not working? I've been using it just fine for quite some time.
07:26:45 <dautor8518050867> Are all cloned interfaces not exposed via netgraph? If so, why?
07:27:04 <dautor8518050867> (this question is unrelated to the response above)
07:27:31 <yourfate> I was confused for a second :D
07:27:35 <yourfate> as I have not used netgraph before
07:27:54 <yourfate> I can connect to the wireguard server (I think), but then I don't have any internet connectivity anymore
07:29:57 <dautor8518050867> What did you put inside allowedips and interface address?
07:30:14 <yourfate> server side: allowed IPs 0.0.0.0/0
07:30:35 <yourfate> interface address I used the 10.96.100.1
07:30:41 <mzar> L3Fr0g: please take a look at if_ipsec(4)
07:30:51 <yourfate> which, if I understand it correctly, is then NAT-ed using PF
07:31:07 <yourfate> on the client I also used 0.0.0.0/0 in the allowed IPs
07:33:09 <dautor8518050867> You can look at your routing table. This configuration would mean that the server should add your client as a default gateway and on the client should put default gateway the server.
07:33:21 <dautor8518050867> That is probably not what you wanted.
07:35:42 <yourfate> ah, so what would I need to change?
07:35:45 <dautor8518050867> I can share you my configuration if you want. I just have issues with bsd.to (pastebin) at the moment...
07:36:01 <yourfate> tbh, bsd.to is very falkey
07:36:39 <yourfate> I personally just use gitlab snippets, which I can manage better
07:36:48 <yourfate> requires an account though
07:37:11 <dautor8518050867> I'll send it to you via direct messages.
07:37:19 <yourfate> sure
08:07:30 <crest> L3Fr0g: if you want something simple wireguard is hard to beat
08:07:59 <crest> but ipsec can be faster since it gets to use hardware offloading
08:08:23 <L3Fr0g> ipsec + gre  ?
08:08:23 <crest> the major downside to ipsec is the complex configuration
08:08:48 <crest> L3Fr0g: if it's freebsd <-> freebsd i would use if_ipsec (aka ipsec vti)
08:09:37 <crest> which on the wire is ipsec tunnel mode, but the important difference to traditional ipsec tunnel mode ist that it has a dedicated interface and the policy is scoped to the interface
08:09:47 <crest> so it plays nice with (dynamic) routing
08:14:30 <mzar> crest: if_ipsec(4) is not that complex if you skip IKE
08:14:42 <mzar> and IKE is optional
08:14:48 <crest> mzar: you need ike for dynamic keying
08:15:03 <crest> static manual keys are just a toy setup
08:15:27 <mzar> toy... could be
08:16:02 <crest> in theory you could write your own key exchange daemon, but you probably already know how badly that can go
08:17:02 <mzar> https://bsdrp.net/documentation/examples/gre_ipsec_and_openvpn  <-- plenty of examples
08:17:03 <VimDiesel> Title: VPN with GRE, GIF, IPSec, OpenVPN and Wireguard [BSD Router Project]
08:17:14 <mzar> L3Fr0g: ^^^
08:17:38 <crest> an other option would be openvpn with DCO (data channel offloading) if you're on freebsd 14.0 or newer
08:18:10 <mzar> there are better options for 1:1 FreeBSD with public addresses
08:18:55 <crest> mzar: have you looked at the performance of ovpn(4)?
08:19:02 <mzar> sure
08:19:25 <mzar> I am using in production since a longer while
08:19:37 <crest> in some benchmarks it even beats ipsec according to the author of the freebsd dco driver
08:19:48 <mzar> hm..
08:20:43 <crest> but according to my older benchmarks the fastest vpn available in freebsd that plays nice with dynamic routing is ipsec vti
08:20:51 <mzar> +1
08:21:57 <mzar> if the endpoins can reach each other if_ipsec is a way to go
08:23:02 <mzar> for one to few I'd choose wireguard, for one to many ovpn
08:25:27 <crest> this is my old stongswan config for ipsec vti
08:25:27 <crest> https://gist.github.com/Crest/6cd4782328d509c50b09f403c1a9bc96
08:25:29 <VimDiesel> Title: FreeBSD IPsec VTI · GitHub
08:26:11 <crest> the only strange thing about it is the leftsubnet/rightsubnet. i never found a way to make strongswan and the kernel agree perfectly
08:26:31 <crest> because ipsec vti interfaces want to install their own policy matching all traffic via the interface
08:26:49 <crest> and strongswan wants to install a 0/0 policy
08:27:25 <crest> i side-stepped this conflict my letting strongswan install a policy for the ancient chaos protocol instead of ip
08:28:45 <crest> it's left as an exercise (exorcism?) to the reader to convert it to the new config syntax
08:32:30 <yourfate> I followed this guide: https://vlads.me/post/create-a-wireguard-server-on-freebsd-in-15-minutes/ and now my configs look like this: https://gitlab.com/-/snippets/3717879
08:32:31 <VimDiesel> Title: Create a WireGuard® server on FreeBSD in no time | webdev & tech
08:32:47 <yourfate> weirdly tho, it seems that when I connect to that it messes with the network of the server
08:32:55 <yourfate> and some services running on the server lose internet connection
10:13:18 <polyex> i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??
12:27:39 <polarian> sfox and L3Fr0g wireguard tends to be faster... iirc
14:19:52 <nsoci> list #freebsd
14:30:29 <unixery> Hi, I'm trying to get the number of ACL entries on a directory. Is there a better way than: getfacl testfolder | sed '/^#/d' | wc -l
14:31:06 <unixery> Or any other method to add ACL antries at the end with setfacl?
15:53:53 <hwpplayer1> hi FreeBSD!
15:54:06 <hwpplayer1> Who is responsible for Local User Groups ?
16:02:30 <remiliascarlet> My mom.
16:21:44 <polarian> I am considering slapping OpenBSD in a vm using bhyve however I do not want to use vnc (the server is headless and only accessible via ssh), is there any guides on accessing the vm over a serial device?
16:21:59 <polarian> therefore I can simply manage it over ssh
16:22:20 <polarian> I have read through the handbook on bhyve I didn't see anything mentioning i t
16:35:42 <vortexx> polarian: #bhyve for this type of question, but of course you can connect over serial with bhyve, using a nmdm device. using vm-bhyve helps streamline this (it'll start a console for you) and for OpenBSD you need the magic words at the boot prompt: stty com0 115200 & set tty com0
16:36:06 <vortexx> vm-bhyve is a package for managing bhyve VMs
16:36:48 <polarian> vortexx: thanks for the advice :)
16:36:57 <polarian> bhyve is its own channel cause how big it is :P
16:37:42 <vortexx> 65 nicks, I've been in there for close to a decade
16:38:48 <polarian> 65 nicks! why so many?
16:39:20 <vortexx> it's just easier to answer all the specific "how do I runs this $OS in bhyve" questions in one place where it's more likely to get attention
16:39:48 <vortexx> from people who are actually running said $OS and know the tricks to getting it installed and booted
16:40:01 <vortexx> not that many tricks are needed these days
16:44:05 <polarian> I also found this: https://wiki.freebsd.org/bhyve/OpenBSD
16:44:06 <VimDiesel> Title: bhyve/OpenBSD - FreeBSD Wiki
16:44:17 <polarian> but yeah I will join the channel thanks
16:45:02 <vortexx> https://github.com/churchers/vm-bhyve/wiki/Supported-Guest-Examples#OpenBSD
16:45:03 <VimDiesel> Title: Supported Guest Examples · churchers/vm-bhyve Wiki · GitHub
16:46:20 <vortexx> although in that link it says to use grub to boot OpenBSD, which isn't necessary. UEFI works fine and has ever since OpenBSD grew UEFI support
16:47:19 <vortexx> your wiki page has the correct information too
17:10:49 <L3Fr0g> Guys, i have a freebsd machine with two disks having the same size, i want to set-up soft raid and have no success. I have managed to mirror efi and freebsd-boot, however, after reboot it looks like the system does not know where to boot from
17:11:22 <L3Fr0g> how can i fix this ?
18:44:06 <polarian> L3Fr0g: why raiding them, use zfs no?
18:44:18 <polarian> mirror them in a zfs pool
18:44:26 <polarian> let zfs do all the heavy lifting, thats the FreeBSD way :P
19:07:54 <L3Fr0g> @polarian, can you please tell me how to mirror efi and freebsd-boot partition with zfs ? :-)
19:08:11 <L3Fr0g> i guess that these devices need to be set up as geom mirrors
19:10:57 <moviuro> https://docs.freebsd.org/en/books/handbook/jails/#creating-thin-jail-nullfs -> `mv /usr/local/jails/templates/13.2-RELEASE-base/var /usr/local/jails/templates/13.2-RELEASE-skeleton/var' fails with `mv: /{snip}/var/empty: Operation not permitted' - because of the schg flag on /var/empty
19:10:58 <VimDiesel> Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal
19:11:46 <mzar> L3Fr0g: you want to boot from both of the disks, don't mirror boot, ZFS will do it for you, just install bootloader on both drives
19:12:16 <L3Fr0g> @mzar, what about efi ?
19:12:37 <polarian> the installer does this all for you :P
19:12:38 <mzar> you can have efi partiotions on both drives
19:14:13 <mzar> they don't have to be mirrored, but loader has to be updated when you upgrade ZFS pool
19:14:47 <mzar> if you are not upgrading, usually you don't have to bother about updatin .efi
19:16:58 <mzar> L3Fr0g: how do you like FreeBSD ?
19:18:06 <L3Fr0g> i didn't use it in the last 20 years, i forgot everything
19:18:52 <mzar> OK, I was using all that time for you, it's still great OS, maybe even better now ;-)
19:19:54 <L3Fr0g> @mzar, i want to create a freebsd bhyve cluster with storage in sync using hast over zfs and carp fail-over, is this doable ?
19:20:32 <mzar> ha.. probably overcomplicated
19:21:45 <L3Fr0g> do you have anything better in mind? i really need a high-available set-up, i want to move to freebsd from SLES
19:21:54 <mzar> zfs has it's own replication mechanism, carp code is working fine, but I don't know how are you going to manage that cluster ?
19:23:10 <L3Fr0g> not sure what answer to provide :-)) i don't really know what you mean
19:37:53 <L3Fr0g> when i try to install the bootloader on the second partition i get: gpart: No such geom: /dev/nda0p2
19:39:54 <L3Fr0g> nevermind, i got it
19:47:53 <L3Fr0g> @mzar, any idea on how to take a disk offline to check if the above implementation is working fine? I have no physical access to the system
19:48:07 <L3Fr0g> stopping the disks with camcontrol or glabel won't do it apparently
19:48:33 <L3Fr0g> the disks are not managed using any raid controller
19:50:22 <L3Fr0g> i really need to simulate a disk failure
19:51:12 <L3Fr0g> got it, editing the bootlader conf and blacklisting the device
19:51:22 <rtprio> what happens with camcontrol ?
19:52:33 <L3Fr0g> Operation not permitted
19:55:02 <mzar> L3Fr0g: I don't have any NVM drives, but in CURRENT there is nvmft(4) - The nvmft driver provides the kernel component of an NVM Express over Fabrics controller.  The NVMeoF controller is the server exporting namespaces backed by local files and volumes to remote hosts - interesting
20:15:37 <L3Fr0g> booting from both drives seems to be working fine, thanks
21:46:18 <polyex> i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??
21:46:24 <polyex> i got clear_tmp_enable="YES" on all my systems. but only some of them have /etc/rc.d/cleartmp in the sudo service -e output. why??
21:46:31 <polyex> oops
22:31:38 <rtprio> but cleartmp isn't really a service
23:26:40 <ajtim> nicklist.pl